Tracing Vendors: A Middlebox-Centric Study of Network Interference

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Middleboxes are intermediary network devices that facilitate traffic monitoring, filtering, and modification. They serve a broad spectrum of functions, ranging from benign tasks to highly controversial ones such as censorship. A solid body of work describes methods to probe or identify middleboxes remotely, including censorship middleboxes; similarly, much research has gone into fingerprinting network devices. However, there is comparatively little work that aims to understand which types of devices occur in which networks. In this study, we choose to investigate middleboxes that reside in networks reported for network interference. We use yarrpbox, a scanning tool, to detect middleboxes and map them to vendors using third-party datasets. Covering more than 500 Autonomous Systems reported for interference, we identify about 250 middleboxes, which we study in detail. We find that the location of middleboxes across countries does not correlate with the Internet Freedom Index, and we identify a distribution of vendors as well as a distribution across countries that differs markedly from previous reports. Most middleboxes in the reported networks are actually likely to serve multiple purposes, and this complexity calls for new measurement methodologies to determine whether the reported interference is a byproduct of some configuration or the primary purpose of a middlebox. We also identify a number of security issues in several devices, lending further support to the hypothesis that middleboxes can increase the attack surface of a network. We conclude with a discussion of directions to understand middlebox deployment with further measurements.

Original language: English
Title of host publication: 2025 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Place of Publication: Piscataway, NJ
Publisher: IEEE
Pages: 176-186
Number of pages: 11
ISBN (Electronic): 979-8-3315-9546-3
ISBN (Print): 979-8-3315-9547-0
Publication status: Published - 2025
Event: 10th IEEE European Symposium on Security and Privacy Workshops, EuroS&PW 2025 - Venice, Italy
Duration: 30 Jun 2025 to 4 Jul 2025
Conference number: 10

Publication series

Name: Proceedings - 10th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2025
Publisher: IEEE
Volume: 2025
ISSN (Print): 2768-0649
ISSN (Electronic): 2768-0657

Conference

Conference: 10th IEEE European Symposium on Security and Privacy Workshops, EuroS&PW 2025
Abbreviated title: EuroS&PW 2025
Country/Territory: Italy
City: Venice
Period: 30/06/25 to 4/07/25

Keywords

  • 2025 OA procedure
  • Network Analysis
  • Network Interference
  • Vendor Mapping
  • Middleboxes
